Message-ID: <20150127174512.GB20691@openwall.com>
Date: Tue, 27 Jan 2015 20:45:12 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: Qualys Security Advisory <qsa@...lys.com>
Subject: Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

On Tue, Jan 27, 2015 at 09:21:32AM -0800, Michal Zalewski wrote:
> I find it... profoundly disappointing... that we get to learn about
> 0-days via PR agency leaks (or that external PR agencies get to know
> about 0-days before the rest of the world - hey, sounds like a juicy
> target).
> 
> That said, the advisory makes up for it...

I agree.  I am more concerned that PR agencies appear to have had early
access to this information than that the information leaked to the
public a few hours early.  When it did become public, everyone could
proceed with their advisories, updates, etc.  But before it did, who
knows what bad guys with access to a PR agency's database or e-mail
could have been doing and for how long (I hope also just another few
hours, but I really don't know).

We use PGP on the linux-distros list (the issue was first brought
there on January 18), but I doubt that communication between Qualys and
their PR agency, or within the PR agency, was similarly encrypted.
Perhaps they were using some Word "documents" and stuff.  And even if it
were encrypted, notifying a PR agency early goes beyond need-to-know
from everyone else's security perspective.

Unfortunately, that's how PR agencies work, they want some "warm up"
time.  I think the only solution for companies like Qualys is to not try
to reap the usual PR benefits from this type of findings.  Have their
technical folks disclose to the proper technical channels instead, and
do not issue a formal press release - well, or do it a few days later,
referring not so much to the actual findings, but to how well the
company worked with the infosec community.  This would be better PR,
too, at least within the smaller but highly relevant infosec community.

Of course, personally I would not care about some company's PR, but I
realize that many companies do care and this affects the resources they
put into analyzing vulnerabilities (as you say, "the advisory makes up
for it").  Hence my thinking of a workaround above.

Alexander
